
XSS vuln and bug bounties

I wasn't planning on writing anything as it is cold and miserable and I want to hibernate until the end of March... but, alas, events conspired to change that.

I received the following email this morning:

An email warning of a problem.
Clearly nobody at OpenBugBounty uses mobile devices.

"Dear Security Team"? Oh, they must mean the cat that owns this human.

Let's see what's up. Here is a link to the report, and note that it uses CloudFlare to verify you are a human before allowing access, so it probably won't work on NetSurf.

As expected, there was no information other than to say that my site suffered from a Cross Site Scripting Vulnerability. This is logical, as proper disclosure requires one to publicise things only after it has been patched and/or a period of time has elapsed with nothing having been done.

Four things stood out to me.

The first was that there wasn't any sort of actual identification of the reporter. The name given was "Mr Jack". The domain mentioned was registered with NameCheap Inc and was a small single page of broken HTML. The Twitter link went to a "The account doesn't exist" page (the above text gave an entirely different link), and the Facebook link said "This content isn't available at the moment". Hmm...

The second thing that I noticed was this appears to have been the result of an automated scanner. The "Reports" tab listed some sixty seemingly random sites this weekend alone, and since Christmas 2023 there have been 1,085 pages of reports - or about 21,700 so far at 20 per page (phew!) though the site says 16,597 (still, phew!).

I note also that the scan was performed giving the URL "heyrick.co.uk", which for several years now has been a quiet redirect to "heyrick.eu". I wonder what outdated link Mr Jack found?

Finally, this part of the page:

They'd like $300, thanks.
I can't help but think that SWIFT to an American bank would have big charges.

While it's a perfectly reasonable request for a commercial or company site, I'm afraid $300 really doesn't work for me as this is a personal hobby site with a strict no-advertising policy. I don't make money from it, the donations asked for on the right go to the person hosting this site, not to me. And, anyway, I would need to bust my balls for nearly a week to earn that sort of money.

So my options were clearly "ignore it and hope it goes away" or "pay money I don't have for a bug report".
The problem with us neurodivergent types is that we're good at looking at a binary choice and then picking a third option.

That third option was a free online XSS scanner. Which I used, and in about five minutes it located the problem.

The problem was as follows: The blog entry URL is laid out in the form "/blog/index.php?diary=<year><month><day>", and you could inject some unwanted content into the page by putting it there in place of the expected date.

The reason for this was, quite simply, some debugging code that I forgot to remove. You see, if the parameter given is unrecognised, it will give an "unrecognised date" page, and if it looked more like somebody trying something, it would tell them to stop wasting their time as there is no back door - the secret way in is not tictactoe with the password joshua.
However, when it did that, it also embedded in the HTML a comment that reported what the input actually was. This was placed there during development in order to check that the detection wasn't chomping on anything that was actually wanted, and wasn't throwing errors for simple mistakes.
For example index.php?diary=202501111 (a digit too many) and index.php?diary=2025011!1 (accidental shift) will simply say that an invalid date was specified, and index.php?bollocks will just redirect to the latest entry as if no date had been given. But index.php?diary=<bollocks> will tell you to stop wasting your time.

There was, however, a problem in that a carefully crafted link would be able to break out of the comment and embed content into the page.
Something like: index.php?diary=%27"-->something nasty here

Fixing that was a simple matter of commenting out the debug code so the actual input was never reported back - basically adding two slashes to the script in the right place.
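To make the hole concrete, here is a small PHP model of the diary= handling described above. This is an added example, not the b.log's own code: the function names are mine, and the rule used to tell a probe (the "stop wasting your time" case) from a plain typo (the "invalid date" case) is an assumption, since the post doesn't show the real check. It puts the leaky debug comment next to the fixed version and feeds both the kind of crafted value a scanner would send.

```php
<?php
// Added example, not code from heyrick.eu. Function names and the
// probe-versus-typo rule are assumptions for illustration.

// Decide what the diary= parameter looks like.
function classifyDiary(string $raw): string {
    // Exactly eight digits forming a real calendar date: a blog entry.
    if (preg_match('/^(\d{4})(\d{2})(\d{2})$/', $raw, $m)
        && checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        return 'entry';
    }
    // Markup or quote characters: somebody trying something (assumed rule).
    if (preg_match('/[<>"\'\\\\]/', $raw)) {
        return 'probe';
    }
    // Otherwise a slip such as 202501111 or 2025011!1: just a bad date.
    return 'invalid';
}

function messageFor(string $kind): string {
    return $kind === 'probe'
        ? 'Stop wasting your time, there is no back door.'
        : 'An invalid date was specified.';
}

// BEFORE: the development-time comment that reported the raw input.
// An HTML comment ends at the first literal "-->", so a value containing
// it closes the comment and whatever follows lands in the page.
function renderVulnerable(string $raw): string {
    $msg = messageFor(classifyDiary($raw));
    return "<!-- diary input was: $raw -->\n<p>$msg</p>\n";
}

// AFTER: the debug line commented out, exactly as the post describes, so
// attacker-controlled text never reaches the HTML at all. If you still
// want to see what probes look like, send them to the server log, where
// angle brackets have no meaning (URL-encoded so log lines stay one line).
function renderFixed(string $raw): string {
    $kind = classifyDiary($raw);
    // return "<!-- diary input was: $raw -->\n" . ...   // debug, disabled
    if ($kind === 'probe') {
        error_log('diary probe: ' . rawurlencode($raw));
    }
    return '<p>' . messageFor($kind) . "</p>\n";
}

// A constructed payload of the shape the post mentions (%27"-->...),
// with a trailing "<!--" to swallow the comment's original closing "-->".
$payload = rawurldecode('%27%22--%3E%3Cscript%3Ealert(1)%3C/script%3E%3C!--');

echo "--- vulnerable ---\n", renderVulnerable($payload);
echo "--- fixed ---\n",      renderFixed($payload);

// Quick self-check: the fixed output must not carry the injected tag.
echo (strpos(renderFixed($payload), '<script') === false)
    ? "fixed output is clean\n"
    : "fixed output still reflects input\n";
```

Encoding the value with htmlspecialchars() before putting it in the comment would also have stopped the breakout, because the parser only ends a comment at a literal `-->` and `--&gt;` is not that. Not emitting the attacker's text at all is the safer habit, though, which is why simply deleting the debug line is the right fix rather than trying to escape it.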

 

This was a reflected vulnerability: it did not affect the server, and only would have affected you if you followed a tainted link. Since the payload rides in a GET request, it sits right there in the URL and you may well have spotted something was wrong first, although, admittedly, modern browsers and email clients go to extreme lengths to obscure where links actually go "for user convenience" because "Click Me" is much friendlier than several lines of gibberish.
And this is why people keep on getting duped by scam sites. The link might say britishgas.co.uk and the site might look like British Gas and it might even have a little padlock so your browser doesn't complain, would you necessarily notice if the URL was britgas.co.uk or brittishgas.co.uk?
I'm not picking on British Gas here, just thinking of a utility who scammers may want to impersonate.

 

As an aside, I noticed that the code to provide the canonical/alternative references (that is to say, the desktop and mobile versions of a page pointing at each other and saying "we're the same only different") was simply echoing a modified version of the input URL. This wasn't a vulnerability, as it wasn't altering the content, but repeating bad input back out wasn't ideal either.
On further examination, it was broken in other ways, like pointing to a mobile version of the versions log, which doesn't exist because that's a static page that borrows the blog theme, rather than being a built page within the blog system (so there is no mobile alternative). And, also, trying to claim a potentially non-existent page (whatever the current date was) as an alternative for the "invalid date" report.
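The "smarter" replacement boils down to one rule: derive the canonical and alternate links from the validated date, not from whatever arrived in the request, and only claim an alternate for pages that actually exist. Here is an added example of that rule in PHP. It is not the site's code; the mobile path, the media query and the host are assumptions made up for illustration.

```php
<?php
// Added example, not the b.log's own code. The /blog/m/ path, the host
// and the media query are assumptions for illustration.

// Build <link rel="canonical"> / <link rel="alternate"> tags for a diary
// request. Returns '' when there is no real page to point at, so neither
// the "invalid date" report nor a static page gets a bogus alternate.
function diaryLinks(?string $raw, bool $isStaticPage = false): string {
    $host = 'https://heyrick.eu';

    // Static pages that merely borrow the blog theme have no mobile build.
    if ($isStaticPage) {
        return '';
    }

    // Only an eight-digit, real calendar date is an entry we can vouch for.
    if (!is_string($raw)
        || !preg_match('/^(\d{4})(\d{2})(\d{2})$/', $raw, $m)
        || !checkdate((int)$m[2], (int)$m[3], (int)$m[1])) {
        // Invalid-date report: not an alternate of anything, say nothing
        // rather than pointing at today's entry, which may not exist yet.
        return '';
    }

    // From here on $raw is known-good, so it is rebuilt into both URLs
    // rather than copying any part of REQUEST_URI.
    $desktop = $host . '/blog/index.php?diary=' . $raw;
    $mobile  = $host . '/blog/m/index.php?diary=' . $raw;   // assumed path

    return '<link rel="canonical" href="'
         . htmlspecialchars($desktop, ENT_QUOTES) . '">' . "\n"
         . '<link rel="alternate" media="only screen and (max-width: 640px)" href="'
         . htmlspecialchars($mobile, ENT_QUOTES) . '">' . "\n";
}

// Constructed inputs covering the three cases in the post.
echo "entry:\n",        diaryLinks('20250112');
echo "invalid date:\n", diaryLinks('2025011!1');    // prints nothing
echo "static page:\n",  diaryLinks(null, true);      // prints nothing
```

The htmlspecialchars() calls are belt and braces: by the time the URL is built the only variable part has already been checked to be eight digits, so there is nothing left that could break out of the attribute.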

That bit of code was replaced with something a lot smarter. It was hard going, not in terms of code, but because I was doing it on my mobile phone. So AndFTP to pull the PHP file. Then ES Explorer (an old pre-malware version) to find the file, then edit it using ES Note Editor, then back to AndFTP to push it back to the server, and then over to Chrome to refresh the page and discover... I forget a quote mark or the autocorrect "helpfully" changed substr to substrate and other facepalm-inducing nonsense.

 

I would like to thank Mr Jack for bringing this problem to my attention.
And the moral, kiddies, is to remember to disable your debugging code!

 

Ah-ha! It looks like Wocki's site has an XSS vulnerability (marked unpatched, due for disclosure in five days) and my site in its .co.uk form is mentioned there. The vulnerability test bot probably crawled that link along the way and added it to the "to do" list.

 

Now if we dig in a little deeper, Mr Jack isn't getting rich off of this. He has made 16,597 reports since 2023/12/25 (did he get fibre for Christmas? ☺) with 270 being "VIP sites" and... only NINE vulnerabilities have been patched.
I don't know whether people are doing what I did and fixing it themselves, or if they just don't care. I think we can hazard a guess, don't you?

Chart of bug reports versus fixes.
This looks like a chart of AI content theft versus f**ks given by the AI companies.

 

Missing FreeSat listings

If you are using my Tea application to look at the TV listings for next weekend and you see large swathes of programmes missing... it isn't me.

FreeSat programme guide with missing information
Perhaps turning it off and on again would help?

 

 

Your comments:

Please note that while I check this page every so often, I am not able to control what users write; therefore I disclaim all liability for unpleasant and/or infringing and/or defamatory material. Undesired content will be removed as soon as it is noticed. By leaving a comment, you agree not to post material that is illegal or in bad taste, and you should be aware that the time and your IP address are both recorded, should it be necessary to find out who you are. Oh, and don't bother trying to inline HTML. I'm not that stupid! ☺
As of February 2025, commenting is no longer available to UK residents, following the implementation of the vague and overly broad Online Safety Act. You must tick the box below to verify that you are not a UK resident, and you expressly agree if you are in fact a UK resident that you will indemnify me (Richard Murray), as well as the person maintaining my site (Rob O'Donnell), the hosting providers, and so on. It's a shitty law, complain to your MP.
It's not that I don't want to hear from my British friends, it's because your country makes stupid laws.

 
You can now follow comment additions with the comment RSS feed. This is distinct from the b.log RSS feed, so you can subscribe to one or both as you wish.

Rick, 12th January 2025, 20:21
I can hear things scurry in the loft. The little critters are like "it's so bloody cold out there we'd rather take our chances with the owl than stay outside". 🐁 
 
Meanwhile, the owl is like "Fast food home delivery? Awesome!". 🦉
jgh back from Japan, 14th January 2025, 17:49
Some years ago a couple of comments on StarDot told me my site was being blocked by Google as "a spam site" (or summut). As with you, I dug through and found a handful of files with <!-- script nonsense here --> that had appeared somehow. I simply did a top-to-bottom virus scan on my WinPC that I use for uploading, set the "ftp files since" modified date to waaay back, and set the "update site" proggy going - and it simply overwrote nearly everything from fresh. 
 
I never found how the script thingy got into the files. I can only think it was either something on my WinPC that intercepted FTP uploads, which I'd squashed ages ago so it was not there for the deep virus scan to find - but the infected files were still on the server. Or I'd done a few "quick change" uploads from somebody else's machine sometime, on an infected machine. 
 
The biggest engrumblance was jumping through Google's hoops to convince it (them? what are Google's pronouns?) that mdfs.net should be allowed to appear in search results. 
A tree-dwelling mammal, 15th January 2025, 10:13
A few years back I'd set up a vhost for a friend who'd put together a web site for a local pub. Someone else then took it over and installed a Javascript-based CMS (I think called SnippetMaster?) onto the site. Of course this CMS had more holes than a cheese grater. 
 
The first I knew about this was when I happened to log in to the co-lo server and noticed a whole bunch of IRC bots running, and a whole lot of 'w4r3z' in some of the web site directories. 
 
The issue of course was that for SnippetMaster to work, the entire directory for that site needed to be writeable by the same user that was running Apache (so usually group writeable by "www"). Once the back door was used, someone used it to install a remote web shell onto the server, start a bunch of eggdrops and also infect other pages where permissions weren't set correctly. 
 
Rick - you may recall this happening, as heyrick was hosted on my server at that time. Some rather nasty malicious javascript code got appended to the main heyrick PHP script. 
 
This is why I no longer allow third parties shell access to the server (unless it's someone I completely trust). And I certainly won't allow an untested CMS to be installed on a third party web site. I've created my own CMS which doesn't need write access to anything, as all content is stored in a MySQL database. 
 
Not had any issues since. Apart from the server's PSU going bang and all the magic smoke coming out back in 2010 (again Rick you probably remember this as heyrick went dark as a result). A new PSU sorted that out though.


© 2025 Rick Murray
This web page is licenced for your personal, private, non-commercial use only. No automated processing by advertising systems is permitted.
RIPA notice: No consent is given for interception of page transmission.
